
Category Archives: SAP News

It is that time of the year for many companies: everybody is nervous and stressed because the auditors are in, requesting countless documents you may or may not have.

External auditors are breathing down my neck…
I need to get them on-time, accurate reports.

Many hours are spent digging into data, producing reports and generating data dumps for the auditors. Once they have the information, countless more hours go into providing additional material because the sample did not produce what the auditors were looking for.

Monitoring SoD security is tedious and reactive.

Most companies struggle with or fail their audits because of challenges such as these:

Too many SoD violations

Change control issues: program changes reach production that should not be there

Use of your emergency IDs is not documented properly

User provisioning is not done in a formal way

No accountability for changing user access due to lack of role ownership

Roles with conflicting transactions cause SoD issues

System Administrators and SAP Security staff have too much access

Manual methods are very time-consuming and require dedicated resources to pull reports.

Manually extracting data out of enterprise software products is complex and prone to errors.

Manual methods hurt the quality of the audit — often producing results with false positives, creating re-dos and more work for auditors.

Risks are managed mostly during the periodic audits and not proactively

These are just a few. The most important issue, however, is that many companies have not kept their SAP Security architecture up to date, for reasons such as:

SAP was rolled out and the implementer left the project without a proper hand-over

The company has merged, or a business has been divested, without SAP Security being considered properly

One person covers SAP Security, Basis and other chores at the same time

The business has changed and SAP Security has been patched up because the original design no longer meets the requirements

Users have changed position and their access has not been re-certified; new roles were simply added on top of those for the previous job

User access has been copied from user to user rather than defined afresh during the on-boarding process

We are here to help you make sense of your SAP Security landscape. Let us schedule a free discovery call to find out what your issues are and discuss what your options are.

We are now asking you to help us so that we can help you! As simple as that.

Our goal is to offer affordable solutions to SAP customers that do not have the luxury of a big SAP Security / Basis team. Sometimes small changes to your daily activities can free up more time for your team to perform business-critical tasks and help them focus on what is important.

If your main issue is the lack of a GRC solution to perform regular SoD analysis, including a proactive SoD analysis before access is granted, and/or to manage your emergency requests, you may want to consider our state-of-the-art subscription-based solution.

Identify Segregation of Duties Access Conflicts in Minutes

Having the proper Segregation of Duties (SoD) policies in place is only one small piece of the compliance puzzle. Reporting and auditing on SoD access in SAP® is a large, virtually impossible undertaking without the proper reporting tool. Meanwhile, identifying potential access conflicts is required as part of the audit process – and is even the law for public companies subject to Sarbanes-Oxley (SOX) legislation.

Segregation of Duties analysis is a central feature of ERP Maestro’s online reporting service. The Conflict Risk Overview and User Conflict Matrix are two key reports that use 100% of SAP user data to provide business process owners (BPOs) with all the visual intelligence they need to:

Quickly identify all potential access conflicts – not just a sample

Break down conflicts by risk level

Pinpoint conflicts from overused or underused access

Begin the remediation process immediately
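The analysis described above can be sketched in a few dozen lines. The Python below is an added example written for this page, not ERP Maestro’s or any other vendor’s code: it resolves every user’s effective transactions through their roles, evaluates a small SoD ruleset against all users rather than a sample, counts the hits per risk level and flags conflicts where one side of the pair has never been executed, which is the usual first remediation candidate. The roles, user assignments, usage counts and the ruleset itself are constructed for illustration; the transaction codes are standard SAP ones used only as examples.

```python
"""Segregation of Duties (SoD) analysis over SAP-style role assignments.

Added example: the ruleset, roles, users and usage counts below are
constructed for illustration and are not any vendor's content.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional, Tuple

# SoD ruleset: (rule id, risk level, function A tcodes, function B tcodes).
# A user holding at least one tcode from each side has a conflict.
SOD_RULES = [
    ("P2P-01", "High",   {"FK01", "FK02", "XK01"}, {"F-53", "F110"}),  # maintain vendor + pay vendor
    ("P2P-02", "Medium", {"ME21N", "ME22N"},       {"MIGO"}),          # create PO + post goods receipt
    ("SEC-01", "High",   {"SU01"},                 {"PFCG"}),          # maintain users + maintain roles
]

# Role contents (the transactions a role grants), constructed.
ROLE_TCODES = {
    "Z_AP_CLERK":    {"FB60", "FK01", "FK02"},
    "Z_AP_PAYMENTS": {"F-53", "F110"},
    "Z_PURCHASER":   {"ME21N", "ME22N", "ME23N"},
    "Z_WAREHOUSE":   {"MIGO", "MB51"},
    "Z_SEC_ADMIN":   {"SU01", "SU10"},
    "Z_ROLE_ADMIN":  {"PFCG", "SUIM"},
    "Z_DISPLAY":     {"ME23N", "FK03"},
}

# User-to-role assignments, constructed.
USER_ROLES = {
    "JSMITH":   {"Z_AP_CLERK", "Z_AP_PAYMENTS"},
    "AKHAN":    {"Z_PURCHASER", "Z_WAREHOUSE"},
    "BASISADM": {"Z_SEC_ADMIN", "Z_ROLE_ADMIN"},
    "MLEE":     {"Z_PURCHASER", "Z_DISPLAY"},
    "PJONES":   {"Z_AP_CLERK", "Z_WAREHOUSE"},
}

# Executions per (user, tcode) over the review period; absent means zero.
USAGE = {
    ("JSMITH", "F-53"): 212, ("JSMITH", "FB60"): 180,
    ("AKHAN", "ME21N"): 40, ("AKHAN", "MIGO"): 37,
    ("BASISADM", "SU01"): 15, ("BASISADM", "PFCG"): 3,
}


@dataclass(frozen=True)
class Conflict:
    user: str
    rule_id: str
    risk: str
    side_a: Tuple[Tuple[str, Tuple[str, ...]], ...]  # (tcode, roles that grant it)
    side_b: Tuple[Tuple[str, Tuple[str, ...]], ...]
    unused_side: Optional[str]  # "A", "B", "both" or None: side(s) never executed


def effective_tcodes(user, user_roles, role_tcodes):
    """Resolve user -> roles -> tcodes, keeping which role grants each tcode
    so remediation can be routed to the role owner, not just the user."""
    granted = defaultdict(set)
    for role in user_roles.get(user, ()):
        for tcode in role_tcodes.get(role, ()):
            granted[tcode].add(role)
    return granted


def find_conflicts(user_roles, role_tcodes, rules, usage):
    """Evaluate every rule against every user (all users, not a sample)."""
    conflicts = []
    for user in sorted(user_roles):
        granted = effective_tcodes(user, user_roles, role_tcodes)
        for rule_id, risk, side_a, side_b in rules:
            held_a = sorted(t for t in side_a if t in granted)
            held_b = sorted(t for t in side_b if t in granted)
            if not held_a or not held_b:
                continue
            used_a = any(usage.get((user, t), 0) for t in held_a)
            used_b = any(usage.get((user, t), 0) for t in held_b)
            unused = {(False, False): "both", (False, True): "A",
                      (True, False): "B", (True, True): None}[(used_a, used_b)]
            conflicts.append(Conflict(
                user, rule_id, risk,
                tuple((t, tuple(sorted(granted[t]))) for t in held_a),
                tuple((t, tuple(sorted(granted[t]))) for t in held_b),
                unused))
    return conflicts


def risk_overview(conflicts):
    """Conflict count per risk level (the 'Conflict Risk Overview' view)."""
    counts = defaultdict(int)
    for c in conflicts:
        counts[c.risk] += 1
    return dict(counts)


def user_conflict_matrix(conflicts):
    """user -> {rule id: risk level}; users without conflicts are absent."""
    matrix = defaultdict(dict)
    for c in conflicts:
        matrix[c.user][c.rule_id] = c.risk
    return {u: dict(r) for u, r in matrix.items()}


if __name__ == "__main__":
    found = find_conflicts(USER_ROLES, ROLE_TCODES, SOD_RULES, USAGE)
    print("Risk overview:", risk_overview(found))
    for c in found:
        hint = f" -> side {c.unused_side} never used, candidate for removal" if c.unused_side else ""
        print(f"{c.user}: {c.rule_id} ({c.risk}) "
              f"{[t for t, _ in c.side_a]} vs {[t for t, _ in c.side_b]}{hint}")
```

In the constructed data JSMITH holds vendor maintenance through Z_AP_CLERK but has never executed it, so the report points at that role as the thing to remove; AKHAN and BASISADM use both sides of their conflicts and need a mitigating control or a role redesign instead.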

Did this article trigger some interest? If yes, feel free to contact me and let me know how we can help you.

We now offer SAP Security Assessments and subscription-based Risk Analysis.

If you run an ERP system such as SAP, it is critical to consider your security design proactively rather than fixing issues year after year when the auditors point out that users have serious SoD conflicts. To prevent this, you need a sound SAP Security strategy. This applies most of all to new SAP implementations, where SAP Security needs to be taken into consideration early on, and to businesses being transformed by mergers, reorganizations and acquisitions. Organizational changes happen all the time, and you need to be flexible enough to address them while keeping your users risk-free without huge overhead.

For smaller companies, purchasing and implementing a GRC solution can be very costly. However, not being compliant and carrying a lot of risk can be more costly over time if someone with excessive access commits fraud.

During one of our assessments, we noticed that one of the system administrators wanted to give an end user access to a transaction that allows data to be maintained; the user had requested that specific transaction believing it was a display transaction. Most likely the user remembered an incorrect transaction code, as the one requested is not related to what the user wanted to do.

The administrator suggested giving access to the transaction anyway, as the user might need it and someone might have suggested this particular transaction. That the access had been approved by a VP was another reason why the admin still wanted to go ahead with the request. Today this transaction may not be an issue, as the user will request another one after finding out that it was not what they really wanted. The bad thing about this is that transactions are introduced which the user may never need, which may cause Segregation of Duties conflicts down the road and additional usage-analysis cleanup efforts in the future.

If this sounds familiar, you may want to consider a complimentary Risk Analysis for up to 100 users to see how many risks your organization has. Please contact us for more information.

As we were reviewing the list of SAP Security Notes from June, we had a closer look at note 1844202 and would like to alert our visitors to the importance and risk of this vulnerability. At first we did not realize the potential danger; it became clear once we played around with it.

Please review and implement SAP Security Note 1844202 without delay, as it addresses an important flaw within SUIM, in particular in report RSUSR002. Didn’t we tell you not to hard-code any user names? Well, this report has a piece of code that reads:

Free SAP-Certified Vulnerability Scan

SAP platforms are among the highest-priority targets for cyber-criminals and intruders. Many organizations are already taking proactive steps to secure their platforms by performing security assessments to identify and mitigate vulnerabilities.

Onapsis, in conjunction with Davatec Consulting, is offering a free, one-time, one-instance vulnerability scan of your SAP environment using Onapsis X1, the industry’s first SAP-certified solution for automated security assessments of SAP platforms. The results of the scan will give you visibility into the challenges your organization faces when securing SAP platforms.

Welcome to our August 2013 SAP Security Newsletter. This is our second newsletter this year, and the feedback has been great.

In July 2013, SAP released 34 security-related OSS notes. The statistics:

8 notes are not rated with a CVSS score

16 notes are rated with a CVSS score between 3.5 and 5.0

10 notes are rated with a CVSS score of 6, none higher

Below are a few highlights from the July 2013 Security Notes. Keep up the good work and make sure your SAP systems are safe!

Note 1823687 (BC-SEC-LGN): Potential information disclosure relating to user existence

The existence of a user can be discovered through a failed logon attempt, and an attacker can use that information to target password logons at accounts known to exist. Solution: configure the ABAP server so that every logon attempt that fails because of invalid or unvalidated credentials receives the same error message, one that discloses nothing about the reason for the failure.

Note 1870605 (BC-DB-HDB): Privilege escalation in SAP HANA

The vulnerability is caused by a security problem in the program’s source code. An attacker with specific information can log on to the system with high system privileges without having been assigned legitimate access by the system administrator(s).

Note 1798286 (SCM-BAS-EHS): Potential modification/disclosure of persisted data in SCM

The problem is caused by an SQL injection vulnerability. The code composes an SQL statement that contains strings an attacker can alter. The manipulated SQL statement can then be used to retrieve additional data from the database, or to modify that data.

Revisiting old SAP Security notes!

Please read one of our most visited blog posts on preventing users from changing tables, such as master and transaction tables, with SE16N! Have you implemented SAP Notes 1420281, 1473881 and 1446530, to mention a few? We have seen that a number of clients still have not implemented all of these notes, especially the one covering UASE16N, which allows data in other clients to be viewed or changed! If you think your HR data is safe because it lives in its own client, think again!

Welcome to our first SAP Security Advisory post. Depending on feedback, we will outline all SAP Security notes issued by SAP each month and make them available to you. As you know, each SAP Security Note for a vulnerability is generally rated with a Common Vulnerability Scoring System (CVSS v2.0) score; SAP has adopted CVSS version 2.0.

The Common Vulnerability Scoring System (CVSS) provides an open framework for communicating the characteristics and impacts of IT vulnerabilities. CVSS consists of three groups: Base, Temporal and Environmental. Each group produces a numeric score ranging from 0 to 10, and a vector, a compressed textual representation that reflects the values used to derive the score. The Base group represents the intrinsic qualities of a vulnerability. The Temporal group reflects the characteristics of a vulnerability that change over time. The Environmental group represents the characteristics of a vulnerability that are unique to a particular user’s environment. CVSS lets IT managers, vulnerability bulletin providers, security vendors, application vendors and researchers all benefit from a common language for scoring IT vulnerabilities.

We will issue tips and tricks and cover additional vulnerability issues in future newsletters, as well as what your organization can do to be prepared for, and informed about, potential risks to your SAP infrastructure. Below is the outline of all SAP Security notes issued in June 2013: